Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Office of Medicaid (MassHealth) - Review of Continuity of Operations Plan

July 15, 2022 · Office of Medicaid (MassHealth) · Read the full official report on mass.gov ↗ · official site ↗

Published July 15, 2022 Audit covers January 1, 2020 – June 30, 2021 Under Suzanne M. Bump · 2011–2023

In plain English
MassHealth had plans for keeping Medicaid operations running during emergencies, but the auditor found those plans were outdated and had not been tested or practiced as required.
source
“MassHealth did not annually update its COOP or conduct staff training or exercises related to the plan.”
Read the plain-English breakdown
What is this?

This is a state audit of MassHealth’s emergency planning, especially whether it could keep key Medicaid systems running if something went wrong.

“OSA has conducted a performance audit of MassHealth’s continuity of operations plan (COOP) and disaster recovery plan (DRP) for its Medicaid Management Information System (MMIS) for the period January 1, 2020 through June 30, 2021.”
Why was it audited?

The auditor checked whether MassHealth followed state rules for emergency planning and disaster recovery for its Medicaid computer system.

“The purpose of this audit was to determine whether MassHealth complied with Executive Order 490 and Sections 6.1 and 6.2 of the Executive Office of Technology Services and Security’s Business Continuity and Disaster Recovery Standard IS.005.”
Why it matters

If MassHealth’s systems go down for a long time, people who rely on MassHealth could have trouble getting access to benefits.

“As a result, MassHealth is vulnerable to a disruption of services that could negatively affect its members if its IT capabilities are inoperable for an extended period.”
What's in it for me?

If you or someone you know depends on MassHealth, this matters because emergency planning helps protect access to healthcare benefits during a crisis.

“MassHealth provides access to healthcare for approximately 1.8 million low- and moderate-income children, families, seniors, and people with disabilities annually.”
The bottom line

The audit found two main problems: MassHealth had not kept its continuity plan current or practiced it, and it had not kept or tested its disaster recovery plan each year.

“MassHealth did not annually update or test its DRP.”
What happens next

MassHealth said it agreed with the recommendations and was working on updates, monitoring controls, written procedures, and moving disaster recovery to AWS.

“MassHealth agrees with the [Office of the State Auditor’s] recommendations listed above and has resumed its work to update the MassHealth COOP.”
Why it's significant

This is significant because Medicaid is a major state program, serving many residents and making up a large part of the Massachusetts budget.

“Medicaid expenditures represented approximately 40% of the Commonwealth’s total fiscal year 2021 budget.”
Jargon, unpacked

A continuity of operations plan is a playbook for keeping essential work going for up to 30 days when an emergency affects offices, systems, staff, or operations.

“The . . . Continuity of Operations Plan (COOP) provides a framework to ensure continued operation of mission essential functions for up to 30 days when an internal or external emergency impacts [an] Agency’s facilities, systems, personnel, and/or operations.”

What the Auditor checked

What the Auditor found

MassHealth did not annually update its continuity of operations plan or train and exercise staff on it.
internal controlsrecordkeeping/documentationpublic safety

Why it matters: MassHealth may not be able to continue providing all services during an emergency.

Standard: Executive Order 490 requires annual continuity of operations training, exercises, and plan updates. ( Executive Order 490, Section 4; Executive Order 490, Section 6 )

2 recommendations
  • MassHealth should establish monitoring controls to ensure that it properly adheres to the policies and procedures it has established for updating and testing its COOP.agency: agreed
  • MassHealth should work with EOHHS to annually update its COOP and conduct staff training and exercises.agency: agreed
Agency response & Auditor reply
Agency: "MassHealth agrees with the [Office of the State Auditor’s] recommendations listed above and has resumed its work to update the MassHealth COOP."
Auditor: "Based on its response, MassHealth is taking measures to address our concerns on this matter."
MassHealth did not annually update or test its disaster recovery plan and lacked an offsite MMIS recovery location.
cybersecurityinternal controlspublic safety

Why it matters: MassHealth is vulnerable to service disruptions that could negatively affect members if IT capabilities are unavailable for an extended period.

Standard: EOTSS Business Continuity and Disaster Recovery Management Standard IS.005 requires disaster recovery plans at primary and alternate offsite locations and annual testing. ( EOTSS Business Continuity and Disaster Recovery Management Standard IS.005, Section 6.2.1; EOTSS Business Continuity and Disaster Recovery Management Standard IS.005, Section 6.2.2 )

2 recommendations
  • MassHealth should establish written policies and procedures for assigning, managing, and monitoring its DRP.
  • MassHealth should identify an offsite disaster recovery location to use for MMIS.
Agency response & Auditor reply
Agency: "MassHealth will finalize and publish the policies and procedures for the MMIS Disaster Recovery Plan (DRP) by the end of calendar year 2022."
Auditor: "Based on its response, MassHealth is taking measures to address our concerns on this matter."

More audits of this entity

Other Office of the State Auditor reports on Office of Medicaid (MassHealth) .

See this entity's page with all 71 audits →